CVE-2023-32700: luatex-1.17.0 update - tex-live mailing list

• Archives for this list.
• More information about this list, or all TUG lists (or TUG home page).

Karl Berry karl at freefriends.org
Tue May 2 23:26:29 CEST 2023

• Previous message: [EXT] Explanation about update to luatex received via tlmgr
• Next message: luatex-1.17.0 update
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

FYI: some issues have been found in luatex (obscure ways to work around some security features; thanks to Max Chernoff). Luigi has committed fixes to the sources, and we are rebuilding now. The new luatex version is 1.17.0. All four luatex binaries (luatex luahbtex luajitex luajithbtex) are affected. The different platforms will come in as the respective builders have time; so far, x86_64-linux and *-netbsd have been updated.

The change that’s most likely to be noticeable is that the socket library is now disabled by default; a new option --socket enables it, as well as --shell-escape (not --shell-restricted). In addition, the mime library is now always available, and new functions os.socketsleep and os.socketgettime are also always available. I will put a more detailed summary at https://tug.org/texlive/bugs.html after the binaries are committed.

The new binaries do not, so far as I know, even require a .fmt rebuild, though tlmgr will make that happen anyway as a matter of course with a normal installation.

Good luck to us all, Karl

• Previous message: [EXT] Explanation about update to luatex received via tlmgr
• Next message: luatex-1.17.0 update
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the tex-live mailing list.